Security Advisory - Published 2026-06-11 - Kubernetes / Fission
Fission CVE batch: Kubernetes serverless tenant-boundary self-check
Fission published a large advisory set around router exposure, archive storage, function runtime permissions, podSpec passthrough, namespace validation, and package handling. If Fission runs in a shared cluster, the business risk is tenant boundary failure: one function author getting more Kubernetes reach than the platform intended.
Group the alerts by action
| Area | CVEs | What to verify |
|---|---|---|
| Router and internal function routes | CVE-2026-46614 | Router exposure, ingress paths, and whether internal function routes are reachable outside trusted sources. |
| Storage, builder, and runtime secrets | CVE-2026-46612, CVE-2026-46617, CVE-2026-46618 | Storage service access, builder command validation, and runtime service account permissions inside function namespaces. |
| Environment and Function podSpec safety | CVE-2026-50545, CVE-2026-50563, CVE-2026-50564, CVE-2026-50566 | Host namespaces, hostPath, privileged mode, serviceAccountName, and dangerous capabilities. |
| Namespace and reference validation | CVE-2026-49821, CVE-2026-49822, CVE-2026-49823, CVE-2026-49824 | Package, secret, configmap, environment, and KubernetesWatchTrigger namespace boundaries. |
| Archive and capability handling | CVE-2026-50567, CVE-2026-50570 | Package archive extraction paths and capability allow/deny behavior. |
Version check
```shell
fission version
kubectl get deploy,svc,ingress -n fission
helm list -A | grep -i fission
```
Several fixes land across 1.23.0, 1.24.0, and 1.25.0, so `fission version` needs to show a patched release on both the client and the server side. For production clusters, target the newest supported Fission release you can run, then verify that the router, webhook, executor, storage service, and builder deployments rolled to the patched images rather than only the CLI being updated.
Cluster exposure checks
```shell
kubectl get svc -n fission -o wide
kubectl get ingress -A | grep -i fission
kubectl get networkpolicy -n fission
kubectl auth can-i create environments.fission.io --as system:serviceaccount:default:example
```
The `can-i` line tests a single identity; repeat it for the users, groups, and service accounts developers actually use, and for the Function, Package, and KubernetesWatchTrigger resources as well as Environment. Focus on who can create or update those resources. If many developer identities can, treat the upgrade as urgent even when the public internet cannot reach the cluster, because the tenant boundary is crossed from inside.
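Once you know who can create these objects, the next question is what they have already created. The script below is an added example for this page, not Fission's own tooling: it reads the JSON that `kubectl get environments.fission.io,functions.fission.io -A -o json` emits and flags the settings this advisory calls out (host namespaces, hostPath volumes, privileged containers, a custom serviceAccountName, dangerous capabilities) plus Function references that cross into another namespace. The CRD field paths it walks (`spec.runtime.podspec`, `spec.builder.podspec`, `spec.podspec`, `spec.environment`, `spec.package.packageref`, `spec.secrets`, `spec.configmaps`) and the capability deny list are assumptions to confirm against your cluster's schema, and the built-in sample objects are constructed rather than taken from a real cluster.

```python
"""Audit Fission Environment and Function objects for podSpec settings and
cross-namespace references that break the tenant boundary.

Added example for this advisory, not Fission project code. Field paths are
assumptions about the Fission CRD layout; confirm them with `kubectl explain`
before acting on the output.
Usage: kubectl get environments.fission.io,functions.fission.io -A -o json | python3 audit.py
       python3 audit.py --sample   (runs against the constructed sample below)
"""
import json
import sys

# Capabilities a shared-cluster platform would deny by default (assumption:
# extend to match your own policy).
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "ALL"}


def podspec_findings(podspec, where):
    """Return a finding string for each dangerous setting in one PodSpec dict."""
    findings = []
    if not podspec:
        return findings
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if podspec.get(key):
            findings.append(f"{where}: {key}=true")
    if podspec.get("serviceAccountName"):
        findings.append(f"{where}: serviceAccountName={podspec['serviceAccountName']}")
    for vol in podspec.get("volumes") or []:
        if "hostPath" in vol:
            findings.append(f"{where}: hostPath volume at {vol['hostPath'].get('path')}")
    containers = (podspec.get("containers") or []) + (podspec.get("initContainers") or [])
    for c in containers:
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{where}: container {c.get('name')} is privileged")
        added = set((sc.get("capabilities") or {}).get("add") or [])
        if added & DANGEROUS_CAPS:
            findings.append(f"{where}: container {c.get('name')} adds {sorted(added & DANGEROUS_CAPS)}")
    return findings


def reference_findings(fn):
    """Flag Function references (environment, package, secrets, configmaps)
    that point at a namespace other than the Function's own."""
    ns = fn["metadata"]["namespace"]
    where = f"function {ns}/{fn['metadata']['name']}"
    spec = fn.get("spec") or {}
    refs = [("environment", spec.get("environment") or {}),
            ("package", (spec.get("package") or {}).get("packageref") or {})]
    refs += [("secret", s) for s in spec.get("secrets") or []]
    refs += [("configmap", c) for c in spec.get("configmaps") or []]
    findings = []
    for kind, ref in refs:
        target = ref.get("namespace")
        if target and target != ns:
            findings.append(f"{where}: {kind} reference crosses into {target}/{ref.get('name')}")
    return findings


def audit(items):
    """Audit a list of Environment/Function objects and return all findings."""
    findings = []
    for obj in items:
        kind = obj.get("kind", "")
        md = obj["metadata"]
        where = f"{kind.lower()} {md['namespace']}/{md['name']}"
        spec = obj.get("spec") or {}
        if kind == "Environment":
            findings += podspec_findings((spec.get("runtime") or {}).get("podspec"), where + " runtime")
            findings += podspec_findings((spec.get("builder") or {}).get("podspec"), where + " builder")
        elif kind == "Function":
            findings += podspec_findings(spec.get("podspec"), where)
            findings += reference_findings(obj)
    return findings


# Constructed sample, not real cluster data: an Environment whose runtime pod
# mounts the host root in a privileged container, and a Function that borrows
# a Secret from another tenant and names its own service account.
SAMPLE = [
    {"kind": "Environment",
     "metadata": {"name": "py", "namespace": "tenant-a"},
     "spec": {"runtime": {"image": "fission/python-env", "podspec": {
         "hostPID": True,
         "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
         "containers": [{"name": "py", "securityContext": {
             "privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}]}}}},
    {"kind": "Function",
     "metadata": {"name": "hello", "namespace": "tenant-a"},
     "spec": {"environment": {"name": "py", "namespace": "tenant-a"},
              "package": {"packageref": {"name": "hello-pkg", "namespace": "tenant-a"}},
              "secrets": [{"name": "db-creds", "namespace": "tenant-b"}],
              "podspec": {"serviceAccountName": "platform-admin"}}},
]

if __name__ == "__main__":
    items = SAMPLE if sys.argv[1:] == ["--sample"] else json.load(sys.stdin)["items"]
    results = audit(items)
    for finding in results:
        print(finding)
    sys.exit(1 if results else 0)
```

A non-zero exit makes the script usable as a gate in a pipeline; on a patched cluster the admission webhook should reject these objects on create and update, so anything the audit still finds was created before the upgrade and needs to be cleaned up by hand.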
What to review after patching
- Fission router services should not expose internal function routes through the public listener.
- NetworkPolicy should restrict internal Fission services to expected controller and trigger pods.
- Admission webhooks should validate create and update operations.
- Function, Environment, Package, Secret, ConfigMap, and KubernetesWatchTrigger references should stay inside the namespaces the platform intends; a Function in one tenant namespace should not be able to reference a Secret, ConfigMap, or Package that lives in another.
- Runtime and builder pods should not inherit broad service account permissions unless the function explicitly requires them.
- Package archives and deployment URLs should be treated as untrusted input.
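What "treated as untrusted input" means for an archive is that every entry name is validated before a single byte is written. The following Python is an added example for this page, not Fission's fetcher or builder code; it assumes the zip format that `fission package create --deploy` uploads, rejects absolute paths, `..` traversal and symlink entries up front, and both archives it runs against are constructed in memory rather than taken from a real package.

```python
"""Extract a function package archive only after checking that every entry
resolves inside the destination directory.

Added example for this advisory, not Fission's fetcher or builder code. It
assumes zip archives and refuses absolute paths, `..` traversal and symlink
entries before writing anything, so a hostile archive cannot drop a file
elsewhere on the node.
"""
import io
import os
import stat
import tempfile
import zipfile


class UnsafeArchiveEntry(ValueError):
    """Raised for an entry that would land outside the destination."""


def resolve_member(info, dest):
    """Return the on-disk path for one entry, or raise if it is unsafe."""
    name = info.filename
    if os.path.isabs(name) or name.startswith(("/", "\\")):
        raise UnsafeArchiveEntry(f"absolute path: {name!r}")
    # A symlink entry could point a later write at any path on the node.
    if stat.S_ISLNK(info.external_attr >> 16):
        raise UnsafeArchiveEntry(f"symlink entry: {name!r}")
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise UnsafeArchiveEntry(f"escapes destination: {name!r}")
    return target


def safe_extract(archive_bytes, dest):
    """Validate all entries first, then extract; returns extracted file paths."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        planned = [(info, resolve_member(info, dest)) for info in zf.infolist()]
        written = []
        for info, target in planned:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_archive(entries):
    """Build a zip in memory from {name: bytes}; names may be hostile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed archives, not real uploads: one clean package and one carrying
# a traversal entry alongside a harmless-looking handler.
CLEAN = build_archive({"handler.py": b"def main():\n    return 'ok'\n",
                       "lib/util.py": b"VALUE = 1\n"})
TRAVERSAL = build_archive({"handler.py": b"",
                           "../../escape.txt": b"written outside dest"})


def run_demo():
    """Extract both archives into temp dirs and report what happened."""
    result = {}
    with tempfile.TemporaryDirectory() as dest:
        result["clean_files"] = len(safe_extract(CLEAN, dest))
    with tempfile.TemporaryDirectory() as dest:
        try:
            safe_extract(TRAVERSAL, dest)
            result["rejected"] = False
        except UnsafeArchiveEntry as exc:
            result["rejected"] = True
            result["reason"] = str(exc)
        # Validation runs before any write, so even the benign entry is absent.
        result["partial_write"] = os.path.exists(os.path.join(dest, "handler.py"))
    return result


if __name__ == "__main__":
    print(run_demo())
```

The two-pass shape matters: extractors that validate and write entry by entry leave the earlier, benign files on disk when a later entry fails, which is exactly the partial state an attacker can pair with a second upload. The same check applies to anything fetched from a deployment URL before it is handed to the builder.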
Ping7 repair path
Ping7 can help review Fission version state, ingress exposure, RBAC, NetworkPolicy, service account scope, and suspicious function/package history. Use CVE Repair for owned clusters or client-approved environments, and include your Fission version, installation method, and whether the cluster is multi-tenant.